MTA-STS: Secure Email Delivery Setup Guide

Email remains a cornerstone of digital communication, yet its underlying protocol, SMTP, was not originally designed with robust security in mind. While Transport Layer Security (TLS) has become standard for encrypting email in transit, its implementation often relies on opportunistic TLS. This means that if a secure connection cannot be established, the email sender (the sending Mail Transfer Agent, or MTA) will often fall back to an unencrypted connection, leaving data vulnerable to interception and tampering. This critical vulnerability is precisely what MTA-STS (Mail Transfer Agent Strict Transport Security) aims to address.

This article will demystify MTA-STS, explaining its core components and how it works to enforce secure email delivery. More importantly, we’ll provide a practical, step-by-step guide on how to implement MTA-STS and its companion, TLSRPT, for your domain, significantly enhancing the security and integrity of your email communications.

Understanding MTA-STS: Enforcing TLS for Email

MTA-STS is an internet standard (RFC 8461) designed to prevent downgrade and man-in-the-middle (MITM) attacks on SMTP connections. It builds upon the concept of HTTP Strict Transport Security (HSTS) but applies it to email. Essentially, MTA-STS allows a domain to declare that its Mail Exchange (MX) servers must only accept incoming email over a secure TLS connection with a valid, trusted certificate. If a sending MTA attempts to deliver email to an MTA-STS-enabled domain and cannot establish a connection that meets these security requirements, it will refuse to send the email rather than downgrade to an insecure connection.

How MTA-STS Works

The MTA-STS mechanism involves three primary components:

A DNS TXT record: This record, published on the sending domain, announces that MTA-STS is enabled and points to the location of the domain’s policy file. It also includes an id tag to signal policy updates.
A Policy File: Hosted on a dedicated HTTPS endpoint, this file specifies the domain’s MTA-STS policy. It defines which MX hosts are authorized and what TLS security requirements apply.
TLS Reporting (TLSRPT): An optional but highly recommended companion standard (RFC 8460) that allows a domain to receive aggregate reports on TLS connection failures, helping administrators monitor and troubleshoot their MTA-STS implementation.

When a sending MTA (e.g., Gmail, Outlook.com) wants to send an email to yourdomain.com, it first checks for an MTA-STS policy. If found, it fetches the policy file from mta-sts.yourdomain.com over HTTPS. It then caches this policy for a specified duration (max_age). For subsequent email deliveries, the sending MTA will only attempt to connect to yourdomain.com’s MX servers via TLS, verifying the certificate against the policy. If any aspect of the connection (e.g., no TLS, invalid certificate, MX host not listed in policy) fails, the email delivery is halted, protecting it from potential interception.

Note: MTA-STS is a client-side enforcement mechanism. It secures incoming email for your domain from MTA-STS aware sending MTAs. Your outgoing email security relies on the recipient’s MTA-STS policy (if any) or DANE (DNS-based Authentication of Named Entities) for full end-to-end enforcement.

The Problem It Solves

Opportunistic TLS, while better than no encryption, is susceptible to:

Downgrade Attacks: An attacker can strip TLS from the connection, forcing the sending MTA to transmit email in plaintext.
MITM Attacks: An attacker can intercept the connection, present a fake certificate, and read/modify email content without detection if the sending MTA doesn’t strictly validate certificates.
Configuration Errors: If your MX records point to a server that suddenly loses its TLS configuration, opportunistic TLS would simply fall back to unencrypted, whereas MTA-STS would prevent delivery.

MTA-STS eliminates these vulnerabilities by mandating TLS and certificate validation, ensuring that email is either delivered securely or not at all.

Email security lock — Photo by FlyD on Unsplash

The MTA-STS Policy File Deep Dive

The core of MTA-STS lies in its policy file. This is a plain text file served over HTTPS at a specific, well-known URL.

Policy File Structure

The policy file uses a simple key-value pair format:

version: STSv1
mode: enforce
max_age: 604800
mx: mail.yourdomain.com
mx: backup.yourdomain.com

Let’s break down each directive:

version: STSv1: This is a mandatory field indicating the policy version. Currently, STSv1 is the only defined version.
mode: This crucial directive defines how strict the policy is.
- testing: Sending MTAs will still deliver email even if the TLS connection fails to meet the policy requirements. However, they will generate TLSRPT reports detailing these failures. This mode is essential for initial deployment and monitoring.
- enforce: Sending MTAs must adhere to the policy. If any requirement is not met, email delivery will be aborted. This is the desired end-state for maximum security.
- none: This mode disables MTA-STS for the domain, effectively telling sending MTAs to remove any cached policy.
max_age: A positive integer representing the number of seconds the sending MTA should cache the policy. A typical value is 604800 (7 days). A longer max_age means sending MTAs will check for policy updates less frequently. Be cautious with very long values in testing mode, as policy changes will take longer to propagate.
mx: This directive lists the fully qualified domain names (FQDNs) of your valid MX hosts. All MX records for your domain that are intended to receive email must be listed here. Sending MTAs will only connect to MX hosts specified in this list. You can use a wildcard for subdomains, e.g., mx: *.yourdomain.com, but it’s generally more secure to list specific hosts.

Setting Up MTA-STS: A Practical Guide

Implementing MTA-STS involves several steps, spanning DNS, web server configuration, and continuous monitoring.

Step 1: Ensure TLS is Fully Configured for Your MX Records

Before enabling MTA-STS, it is absolutely critical that all your MX servers are configured to accept TLS connections with valid, publicly trusted certificates. If they are not, enabling MTA-STS in enforce mode will cause legitimate email to be rejected.

Verify your mail servers listen on port 25 for opportunistic TLS and 587 for submission, and that a valid, non-expired TLS certificate is installed and correctly configured for each MX host.
Test your existing MX records with tools like hardenize.com or checktls.com to confirm TLS is working correctly.

Step 2: Create the MTA-STS Policy File

Based on your MX records and desired mode, create a text file named mta-sts.txt.

Example mta-sts.txt for yourdomain.com:

version: STSv1
mode: testing
max_age: 86400
mx: mail.yourdomain.com
mx: mail2.yourdomain.com

Recommendation: Start with mode: testing and a short max_age (e.g., 86400 for 24 hours) to gather reports before switching to enforce.

Step 3: Host the Policy File on a Web Server

The policy file must be accessible via HTTPS at a very specific endpoint: https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

Create a subdomain: mta-sts.yourdomain.com.
Obtain a valid SSL/TLS certificate for mta-sts.yourdomain.com. This certificate must be trusted by common root Certificate Authorities.
Configure a web server (e.g., Nginx, Apache, Caddy) to serve the mta-sts.txt file at the specified path. The server must respond to requests over HTTPS on port 443.

Example Nginx configuration snippet:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mta-sts.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/mta-sts.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mta-sts.yourdomain.com/privkey.pem;

    location /.well-known/mta-sts.txt {
        add_header Content-Type "text/plain";
        return 200 "version: STSv1\nmode: testing\nmax_age: 86400\nmx: mail.yourdomain.com\n";
        # Alternatively, serve a static file:
        # root /var/www/mta-sts.yourdomain.com;
        # try_files /.well-known/mta-sts.txt =404;
    }
}

Ensure that the web server correctly serves the mta-sts.txt file with a Content-Type of text/plain.

Step 4: Publish the DNS TXT Record for MTA-STS

This DNS record signals to sending MTAs that your domain supports MTA-STS and where to find the policy.

Create a TXT record for the hostname _mta-sts.yourdomain.com.
The value of the TXT record should be v=STSv1; id=YYYYMMDDHHMMSS;.
- v=STSv1: Specifies the version of the MTA-STS protocol.
- id=YYYYMMDDHHMMSS: A unique identifier for your policy. This is critical. Every time you update your mta-sts.txt file, you MUST update this id in DNS to signal to sending MTAs that they need to fetch the new policy. A common practice is to use a timestamp for the id.

Example DNS TXT record:

Host: _mta-sts.yourdomain.com
Type: TXT
Value: "v=STSv1; id=20231027153000;"

Step 5: Implement TLS Reporting (TLSRPT)

TLSRPT provides invaluable feedback on how your MTA-STS policy is being enforced (or failing). It allows sending MTAs to send aggregate JSON reports about connection failures.

Create a TXT record for the hostname _smtp._tls.yourdomain.com.
The value of the TXT record should be v=TLSRPTv1; ru=mailto:[email protected];.
- v=TLSRPTv1: Specifies the version of the TLSRPT protocol.
- ru=mailto:[email protected]: This is the email address where reports will be sent. Ensure this mailbox is monitored. You can also specify an HTTPS endpoint for receiving reports, e.g., ru=https://tls-report.yourdomain.com/upload;.

Example DNS TXT record for TLSRPT:

Host: _smtp._tls.yourdomain.com
Type: TXT
Value: "v=TLSRPTv1; ru=mailto:[email protected];"

Network topology with data flow arrows — Photo by Albert Stoynov on Unsplash

Monitoring and Best Practices

Deploying MTA-STS is not a “set it and forget it” task.

Start with testing mode: As iterated, this is crucial. Monitor the TLSRPT reports closely for several weeks. Look for any legitimate email being flagged as a failure.
Analyze TLSRPT Reports: These reports, typically sent daily or weekly, detail connection failures, the reason for failure (e.g., certificate mismatch, no TLS), and the sending MTA’s IP. Tools exist to parse and visualize these JSON reports, making them easier to digest^[1].
Gradual Transition to enforce: Once you are confident that no legitimate email is being impacted in testing mode, update your mta-sts.txt file to mode: enforce and remember to update the id in your DNS TXT record.
Maintain Your Web Server Certificate: The certificate for mta-sts.yourdomain.com must remain valid and trusted. Let’s Encrypt is a popular choice for automating this.
Keep MX Records Updated: Ensure your mta-sts.txt policy file accurately reflects your current MX records. Any changes to your MX infrastructure require an update to the policy file and the DNS id.

MTA-STS, alongside DANE, represents a significant step forward in securing email infrastructure. While DANE offers a more robust, DNSSEC-anchored approach, MTA-STS provides a simpler, more widely adopted mechanism for enforcing TLS. Many major email providers, including Google and Microsoft, actively support MTA-STS, making its adoption a high-impact move for any organization serious about email security^[2].

Conclusion

MTA-STS is a powerful mechanism for enhancing the security and integrity of email communications for your domain. By enforcing TLS and certificate validation, it effectively mitigates the risks of downgrade and man-in-the-middle attacks that plague traditional opportunistic TLS. While its setup requires careful attention to DNS records, web server configuration, and continuous monitoring through TLSRPT, the benefits of preventing email interception and ensuring trusted delivery are undeniable. Adopting MTA-STS is a critical step towards a more secure digital communication landscape, aligning your domain with modern email security best practices and protecting your organization’s valuable information^[3].

References

[1] Global Cyber Alliance. (n.d.). TLSRPT Report Viewer. Available at: https://tlsrpt.globalcyberalliance.org/ (Accessed: November 2025) [2] Google Workspace Admin Help. (n.d.). About MTA-STS. Available at: https://support.google.com/a/answer/9261504 (Accessed: November 2025) [3] Internet Engineering Task Force. (2018). RFC 8461: SMTP MTA Strict Transport Security (MTA-STS). Available at: https://www.rfc-editor.org/rfc/rfc8461 (Accessed: November 2025)